SEC's Controls Over Sensitive/Nonpublic Information Collected and Exchanged With the Financial Stability Oversight Council and Office of Financial Research

March 25, 2013
Report No. 509

REDACTED PUBLIC VERSION

UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
OFFICE OF INSPECTOR GENERAL

MEMORANDUM
March 25, 2013

To:       Elisse B. Walter, Chairman
          Thomas A. Bayer, Director/Chief Information Officer, Office of Information Technology
          Vance Cathell, Director, Office of Acquisitions

From:     [signature illegible in scan], Inspector General, Office of Inspector General

Subject:  SEC's Controls Over Sensitive/Nonpublic Information Collected and Exchanged with the Financial Stability Oversight Council and Office of Financial Research, Report No. 509

This memorandum transmits the U.S. Securities and Exchange Commission Office of Inspector General's (OIG) final report detailing the results of our audit of the SEC's Controls Over Sensitive/Nonpublic Information Collected and Exchanged with the Financial Stability Oversight Council and the Office of Financial Research. The audit was conducted as part of our continuous effort to assess the Commission's programs and operations.

This report contains five recommendations which, if fully implemented, should strengthen the SEC's controls over sensitive and nonpublic information that is collected and exchanged with the Financial Stability Oversight Council and Office of Financial Research. The Chairman's office, Office of Information Technology, and Office of Acquisitions concurred with all recommendations pertaining to their respective offices. Your written responses to the draft report's recommendations are included in Appendix V.

Within the next 45 days, please provide OIG with a written corrective action plan that addresses the recommendations to your office. The corrective action plan should include information such as the responsible official/point of contact, timeframes for completing required actions, and milestones identifying how the recommendations will be addressed.

SEC's Controls Over Information Collected/Exchanged with FSOC/OFR    March 25, 2013
Report No. 509
Page i
REDACTED PUBLIC VERSION

Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy and cooperation you and your staff extended to our office.

Attachment

cc:   Erica Y. Williams, Deputy Chief of Staff, Office of the Chairman
      Luis A. Aguilar, Commissioner
      Troy A. Paredes, Commissioner
      Daniel M. Gallagher, Commissioner
      Sara Cortes, Senior Advisor to the Chairman, Office of the Chairman
      Jeff Heslop, Chief Operating Officer, Office of Chief of Operations
      Pamela C. Dyson, Deputy Director/Deputy CIO, Office of Information Technology
      Todd K. Scharf, Associate Director, Chief Information Security Officer, Office of Information Technology

SEC's Controls Over Sensitive/Nonpublic Information Collected and Exchanged With the Financial Stability Oversight Council and Office of Financial Research

Executive Summary

Background. The Financial Stability Oversight Council (FSOC) was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and is charged with identifying threats to the financial stability of the United States, promoting market discipline, and responding to emerging risks that could impact the stability of the nation's financial system.[1] The Dodd-Frank Act also created the Council of Inspectors General on Financial Oversight (CIGFO).

CIGFO was established to facilitate information sharing among the Offices of Inspector General (OIG), to provide a forum for discussing work as it relates to the broader financial sector, and to provide oversight of the FSOC.

On April 15, 2011, the Memorandum of Understanding Regarding the Treatment of Non-public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act (MOU) became effective. The MOU sets forth the parties' understanding with respect to the treatment of nonpublic information that is obtained or shared among the parties in connection with or related to the functions and activities of FSOC or the Office of Financial Research (OFR). The OFR was also created by the Dodd-Frank Act and has a mission to improve the quality of financial data that is available to policymakers and to facilitate a robust and sophisticated analysis of the financial system.

On December 8, 2011, the CIGFO committee approved the establishment of a CIGFO working group (working group) composed of staff from the nine OIGs that comprise CIGFO. The working group's objective was to examine the controls and protocols that FSOC and its member agencies employed to ensure FSOC nonpublic information, deliberations, and decisions are properly safeguarded from unauthorized disclosure. That working group conducted a joint audit and reported the results in Audit of the Financial Stability Oversight Council's Controls over Non-public Information. The SEC OIG conducted this audit to follow up on deficiencies identified in the joint working group's audit.

[1] The United States is also referred to as "nation."

Objectives. To examine the controls and protocols the SEC employs to ensure that sensitive and nonpublic information it collects and exchanges with FSOC, its member agencies, and OFR is properly safeguarded from unauthorized disclosure.

Results. Our audit found that SEC employees and contractors who access the SEC's e-mail system using Outlook Web Access (OWA) are not restricted from saving and uploading sensitive or nonpublic information on non-SEC computers. Consequently, sensitive or nonpublic information could potentially be disclosed to unauthorized persons.

Also, the SEC has not appointed primary information owners to oversee information it receives and shares with FSOC, its member agencies, or OFR. In addition, a protocol for inventorying documents and ensuring they are appropriately marked has not been fully developed. As a result, the SEC may be unable to efficiently identify information owners and ensure documents are tracked and marked as appropriate.

Finally, new contractors are not required to take the on-line Security Awareness training on handling sensitive or nonpublic SEC information for up to 30 days after they are approved to work at the SEC and have a network user account. Thus, contractors could unintentionally mishandle or disclose sensitive or nonpublic SEC information. Therefore, new contractors should be required to read and sign the "Rules of the Road," which covers handling nonpublic or sensitive information, prior to being granted a network user account. Doing so will help make contractors aware of how to properly handle sensitive or nonpublic SEC information.

Summary of Recommendations. This report contains five recommendations that were designed to improve the SEC's controls over sensitive and nonpublic documents it collects or exchanges with FSOC and OFR. Specifically, we recommended the Office of Information Technology (OIT) develop controls to prevent remote users from saving files accessed using Outlook Web Access to public computers.

Further, the Office of the Chairman should work with OIT to: (1) assign points of contact to serve as information owners, (2) develop a system to identify and track sensitive and nonpublic documents, and (3) devise procedures information owners should use to mark documents according to sensitivity level, for all sensitive and nonpublic documents that are either provided to, or received from, FSOC or OFR.

Finally, the Office of Acquisitions should work with OIT to ensure new contractors are provided with the Rules of the Road to read and sign before they are given access to the SEC's systems.

Management's Response to the Report's Recommendations. OIG provided SEC management with the formal draft report on March 13, 2013. SEC management concurred with all recommendations in this report. OIG considers the report recommendations resolved. However, the recommendations will remain open until documentation is provided to OIG that supports that each recommendation has been fully implemented. SEC management's response to each recommendation and OIG's analysis of their responses are presented after each recommendation in the body of this report.

The full version of this report includes information that the SEC considers to be sensitive and proprietary. To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report. Redactions are shown below as [REDACTED].

TABLE OF CONTENTS

Executive Summary ............ iii
Table of Contents ............ vii
Background and Objective ............ 1
    Background ............ 1
    Objective ............ 3
Findings and Recommendations ............ 4
    Finding 1: Lack of Remote Access Controls May Put Sensitive and Nonpublic Information at Risk of Unauthorized Disclosure ............ 4
        Recommendation 1 ............ 7
    Finding 2: The SEC's Protocol For Inventorying, Tracking, and Marking Information Collected by and Exchanged With FSOC, its Member Agencies, and OFR Needs Improvement ............ 7
        Recommendation 2 ............ 10
        Recommendation 3 ............ 10
        Recommendation 4 ............ 11
    Finding 3: New Contractors Are Not Provided Training on Handling Sensitive and Nonpublic Information in a Timely Manner ............ 11
        Recommendation 5 ............ 13
Appendices
    Appendix I: Abbreviations and Definitions ............ 14
    Appendix II: Scope and Methodology ............ 15
    Appendix III: Criteria ............ 17
    Appendix IV: List of Recommendations ............ 18
    Appendix V: Management Comments ............ 19
Tables
    Table 1: Remote Operation Utilities Available at the SEC ............ 5

Background and Objectives

Background

The Financial Stability Oversight Council (FSOC) was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and is charged with identifying threats to the financial stability of the United States (U.S.), promoting market discipline, and responding to emerging risks that could impact the stability of the nation's financial system.[2]

Among other significant provisions, the Dodd-Frank Act created the Council of Inspectors General on Financial Oversight (CIGFO). CIGFO includes Inspectors General from the following nine major Federal government financial entities:

    (1) Board of Governors of the Federal Reserve System.
    (2) Commodity Futures Trading Commission.
    (3) Department of Housing and Urban Development.
    (4) Department of the Treasury.
    (5) Federal Deposit Insurance Corporation (FDIC).
    (6) Federal Housing Finance Agency.
    (7) National Credit Union Administration.
    (8) Securities and Exchange Commission (SEC or Commission).
    (9) Special Inspector General for the Troubled Asset Relief Program.

CIGFO was established to:

    (1) facilitate information sharing among the Offices of Inspector General (OIG);
    (2) provide a forum for discussing work as it relates to the broader financial sector; and
    (3) provide oversight of the FSOC.

On April 15, 2011, the Memorandum of Understanding Regarding the Treatment of Non-public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act (MOU) became effective. The MOU was signed by the SEC and 15 designated parties,[3] including other federal financial regulatory agencies.[4] The MOU sets forth the parties' understanding with respect to the treatment of nonpublic information that is obtained or shared among the parties in connection with, or related to, the functions and activities of FSOC or the Office of Financial Research (OFR).[5] The OFR was established by the Dodd-Frank Wall Street Reform and Consumer Protection Act. Its mission is to improve the quality of financial data that is available to policymakers and to facilitate a robust and sophisticated analysis of the financial system.

[2] The United States is also referred to as "nation."
[3] Designated "Parties" are also referred to as member agencies. These "Parties" are comprised of the Office of Financial Research (OFR), FSOC, and its member agencies.
[4] Financial regulatory agencies are also referred to as financial entities in the MOU.
[5] The MOU was effective on April 15, 2011, and the SEC signed it on May 2, 2011.

The MOU defines nonpublic information as:

        any data, information, or reports submitted, received or shared among the Parties in connection with or related to the functions and activities of the FSOC or the Office of Financial Research.[6]

Also, the MOU provides the terms and agreements as determined by the signing parties. The MOU parties agreed not to disclose information that is shared between the parties without first receiving written consent from the providing party.

The SEC defines nonpublic information as:

        information generated by or in the possession of the SEC that is commercially valuable, market sensitive, proprietary, related to an enforcement or examination matter, subject to privilege, or otherwise deemed nonpublic by a division director or office head, and not otherwise available to the public. This policy applies to nonpublic information in any form including documents, electronic mail, computer files, conversations, and audio or video recordings.[7]

On December 8, 2011, the CIGFO Committee approved the establishment of a CIGFO working group (working group) composed of staff from the nine OIGs that comprise CIGFO. The working group's objective was to examine the controls and protocols that FSOC and its member agencies employed to ensure FSOC nonpublic information, deliberations, and decisions are properly safeguarded from unauthorized disclosure. To accomplish its objective, the working group conducted a joint audit of the major federal government financial entities' business practices, measured against the industry standards and practices established in the National Institute of Standards and Technology (NIST) special publications.[8] Specifically, in March 2012, the working group members conducted an audit of their respective agency's management and internal controls over sensitive and proprietary (non-public) information that was collected by and exchanged with FSOC, its member agencies, and OFR. The audit was spearheaded by FDIC OIG, who met regularly with working group members. Working group members used a standardized audit program to ensure audit steps and testing among OIGs were consistent.

[6] Memorandum of Understanding Regarding the Treatment of Non-public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act, effective April 15, 2011, p. 1.
[7] SECR 23-2a, Security-Safeguarding Non-Public Information, January 21, 2000, p. 1.
[8] The National Institute of Standards and Technology (NIST) Special Publications consist of a series of reports on NIST research, guidelines, and outreach efforts in information system security.

Findings for the joint audit were incorporated into a consolidated report, Audit of the Financial Stability Oversight Council's Controls over Non-public Information, which was issued on June 22, 2012, to the Chairman of FSOC. While the report did not make any recommendations, it identified differences in how FSOC and its member agencies mark nonpublic information. For example, nonpublic information marked as "sensitive" in one agency is marked as "restricted" in another agency. In addition, the report identified control differences in how non-public information is handled in areas related to oral communication, supplemental prohibition on financial interest, contractor confidentiality and nondisclosure, encryption, and protocol for tracking information exchange.[9]

Purpose. OIG conducted this audit to follow up on the deficiencies we identified during the joint audit. Specifically, our purpose was to further assess the SEC's controls over sensitive and nonpublic information that is collected by and exchanged with FSOC, its member agencies, and OFR, and to determine adherence to the MOU requirements for handling sensitive and non-public information.[10] Our audit did include inquiries regarding unauthorized disclosure of sensitive or nonpublic information.

Objective

To examine the controls and protocols the SEC employs to ensure that sensitive and nonpublic information it collects and exchanges with FSOC, its member agencies, and OFR is properly safeguarded from unauthorized disclosure.

[9] Audit of the Financial Stability Oversight Council's Controls over Non-public Information, Report to the Financial Stability Oversight Council and the Congress, June 22, 2012, p. 9.
[10] OIT defines sensitive as "Information about a company or individual that has been collected by the SEC but is not for public disclosure. In general, all such data, which are categorized as either 'Non-Public (SEC Restricted)' or 'Non-Public (SEC Use Only),' shall be masked."

Findings and Recommendations

Finding 1: Lack of Remote Access Controls May Put Sensitive and Nonpublic Information at Risk of Unauthorized Disclosure

        SEC employees and contractors accessing the SEC's e-mail system using Outlook Web Access (OWA) are not restricted from saving and uploading sensitive or nonpublic information on non-SEC computers. Consequently, sensitive or non-public information could potentially be disclosed to unauthorized persons.[11]

The Office of Information Technology (OIT) has issued policy prohibiting SEC network users (employees and contractors) from saving or uploading sensitive or nonpublic information onto non-SEC computers, unless the computer is equipped with SEC-approved remote operation utilities. Currently, the SEC does not have any controls that restrict or prevent employees and contractors who use OWA from uploading or saving information, including sensitive/nonpublic information, to a non-SEC computer. The onus is on SEC network users to comply with OIT's policy.

OIT's Rules of the Road, Rule #7: Don't Transmit Non-public or Sensitive Information over Non-secure Systems, states,[12]

        Users of the SEC network and automated systems must also understand that sensitive or nonpublic information may NOT be processed on non-SEC workstations unless such workstations are equipped with SEC-approved remote operation utilities, such as [REDACTED] software.

In addition, OIT's Implementing Instruction 24-04.02.01(01.0) Sensitive Data Protection, issued April 6, 2006, states,

        The SEC may take appropriate action to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic SEC sensitive information.[13]

[11] SEC personnel include employees, detailees, and interns and are referred to as "SEC staff."
[12] The Rules of the Road apply to all SEC staff and contractors.
[13] Implementing Instruction 24-04.02.01(01.0) Sensitive Data Protection, Section 5.d(5), April 6, 2006.

Currently, the Commission allows employees and contractors who handle sensitive and nonpublic information to work at offsite locations using non-SEC computers to access the SEC's network. This is done using approved, secured remote operation utilities such as OWA, the SEC's remote electronic terminals portal [REDACTED], Virtual Private Network (VPN), or the [REDACTED].[14] Full descriptions of these remote operation utilities are given below in Table 1. Employees and contractors can use these utilities to connect to the agency's network from an SEC-issued desktop/laptop or from a non-SEC computer such as a public, company-owned, or personal desktop/laptop.

Table 1: Remote Operation Utilities Available at the SEC

    Remote Operation Utility | Description
    -------------------------|--------------------------------------------------------------
    Outlook Web Access       | A web-based application that allows users to check e-mail from both SEC-issued and non-SEC issued computers.
    [REDACTED]               | [REDACTED]
    [REDACTED]               | [REDACTED]
    VPN                      | A remote access solution that offers a secure solution to access SEC e-mail, network drives, and applications using an SEC-issued computer.

    Source: OIG Generated.

SEC-issued computers are equipped with remote operation utilities and are configured to meet OIT's defined baseline security requirements. Also, they have parameters that are designed to protect data that is saved on the computer from unauthorized disclosure. These computers have controls and protections (baseline security requirements) such as anti-virus, anti-malware, firewalls, intrusion detection, and hard disk encryption that aid in preventing unauthorized access to SEC data.

In contrast, non-SEC computers, which include public computers, are configured to meet the computer owner's requirements, which likely do not meet OIT's defined baseline security requirements for protecting SEC data. Consequently, these computers may not have adequate controls and protections (e.g., encryption, anti-virus, anti-spyware) to prevent unauthorized access to nonpublic SEC information or to prevent the information from being disclosed to unauthorized persons.

[14] The Commission employs four remote operation utilities that provide similar, but somewhat different, attributes. These remote operation utilities serve as alternative solutions SEC personnel can use to access the SEC's network in the event one of the four solutions becomes unstable or is inoperable.

Employees and contractors can remotely connect to the SEC's network via SEC-issued computers by using OWA, [REDACTED], or VPN. Also, they can remotely connect to the network via non-SEC computers by using OWA, [REDACTED]. [REDACTED] allow staff using a non-SEC computer to save and upload files directly to the SEC's network, but the files cannot be uploaded and saved to the computer. Conversely, agency network users who remotely access their e-mail via a non-SEC computer using OWA can save and upload e-mails and attachments, which could include sensitive or nonpublic information, to the non-SEC computer.

OWA does not have controls to prevent users accessing the agency's network from non-SEC computers from saving and uploading information onto a non-SEC computer. As a result, sensitive or nonpublic information could potentially be saved to a non-SEC computer. Therefore, there is a risk that an unauthorized person could gain access to sensitive or nonpublic SEC information if the user saved files that were obtained using OWA onto a non-SEC computer.

Though the SEC has policies and procedures regarding handling and safeguarding sensitive/nonpublic information and requires staff to attend annual security awareness training, this information could potentially be disclosed because SEC employees and contractors have the ability to save and upload documents onto non-SEC computers when using OWA. For example, if a user remotely accesses the SEC network using OWA from a hotel computer, downloads sensitive or nonpublic information from their e-mail to the hotel's computer, and does not remove or delete it from the hotel computer, the file can be accessed by subsequent users. Therefore, there is a risk that sensitive or nonpublic SEC information can potentially be seen, read, copied, altered, printed, or stolen by unauthorized persons.

Conclusion. The ability of SEC personnel who access SEC e-mails using OWA to save and upload information onto non-SEC computers is an internal control weakness that should be further reviewed to assess risk to the Commission. Implementing Instruction 24-04.02.01 (01.0) requires that appropriate action is taken to ensure "unauthorized individuals cannot read, copy, alter, print, or steal electronic SEC sensitive information."[15] However, by not having a control in place that restricts or prevents SEC personnel using OWA from saving or uploading documents onto a non-SEC computer, sensitive or non-public information could potentially be disclosed to unauthorized persons. OIT should ensure controls are developed for OWA users that are consistent with [REDACTED] and that disallow files from being uploaded and saved onto non-SEC computers.

[15] Implementing Instruction 24-04.02.01(01.0) Sensitive Data Protection, Section 5.d(5), April 6, 2006.

        Recommendation 1:

        The Office of Information Technology should develop controls that prevent remote users from saving files accessed using Outlook Web Access to public computers.
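As an added illustration of the kind of technical control Recommendation 1 calls for (this is not part of the OIG report and does not describe how the SEC's environment is configured): in Microsoft Exchange, whether OWA lets a user save an attachment to the disk of the machine running the browser is governed by the OWA mailbox policy. The report does not identify the Exchange version or any policy names, so the script assumes an Exchange 2010 or 2013 management shell and a policy named "Default"; both are assumptions.

```powershell
# Added example, not taken from the OIG report. Assumes an Exchange 2010/2013
# management shell and an OWA mailbox policy named "Default" (both assumed).

# 1. Audit: list the settings that decide whether an OWA session may download
#    attachments to the local machine, for every policy in the organization.
Get-OwaMailboxPolicy | Format-Table Name,
    DirectFileAccessOnPublicComputersEnabled,
    DirectFileAccessOnPrivateComputersEnabled,
    WebReadyDocumentViewingOnPublicComputersEnabled -AutoSize

# Weak state matching Finding 1: attachments can be saved from any browser,
# so the only safeguard is the user's own compliance with the Rules of the Road.
#   DirectFileAccessOnPublicComputersEnabled  : True
#   DirectFileAccessOnPrivateComputersEnabled : True

# 2. Harden: block direct download from both "public" and "private" sessions,
#    but keep server-side rendering on so staff can still read an attachment
#    in the browser without a copy being written to a hotel or home PC.
Set-OwaMailboxPolicy -Identity "Default" `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true

# 3. Verify coverage: a policy that no mailbox references changes nothing,
#    so list OWA-enabled mailboxes that have no OWA mailbox policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -and -not $_.OwaMailboxPolicy } |
    Select-Object Name, OwaMailboxPolicy
```

Two points matter for the hotel-computer scenario the finding describes. First, the "public computer" variants of these settings only apply when the user ticks "This is a public or shared computer" at the OWA logon page; Exchange 2013 hides that choice by default (it is controlled by the LogonPagePublicPrivateSelectionEnabled setting on Set-OwaVirtualDirectory), so setting the private-computer variant as well is what actually covers a non-SEC machine whose user never makes that choice. Second, OWA cannot tell an SEC-issued laptop from a hotel PC on its own, so the restriction applies to every OWA session; per Table 1, staff on SEC-issued computers retain VPN for full file access.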
OIT concurred with this recommendation.\n       See Appendix V for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation. OIG considers this recommendation resolved.\n       However, this recommendation will remain open until documentation is\n       provided to OIG that supports it has been fully implemented.\n\n\nFinding 2: The SEC\xe2\x80\x99s Protocol for Inventorying,\nTracking, and Marking Information Collected by\nand Exchanged with FSOC, its Member Agencies,\nand OFR Needs Improvement\n       The SEC has not appointed a primary information owner to\n       oversee information it receives and shares with FSOC, its\n       member agencies, or OFR. In addition, a protocol for\n       inventorying and ensuring that information is appropriately\n       marked has not been fully developed. As a result, the SEC\n       may be unable to readily identify information owners and\n       ensure documents are tracked and marked as appropriate.\n\nThe SEC does not have any primary points of contact (POC) to oversee sensitive\nand nonpublic information that is requested, provided, or received to/from its\nparties to the FSOC MOU. Additionally, the SEC has not fully developed a\nprotocol for inventorying, tracking, and ensuring that sensitive/nonpublic\ninformation that is shared among the FSOC, its member agencies, and the OFR\nis appropriately marked for classification purposes and to assure the\nconfidentiality of the information is maintained in accordance with the MOUs\nterms. OIG was informed the SEC exchanges sensitive or nonpublic information\nwith FSOC using a secured e-mail portal.\n\nThe Commission\xe2\x80\x99s policy for handling and marking sensitive information that is\nobtained from third parties. Specifically, the policy II 24-04.02.01 (01.0) states,\n\n\n\nSEC\xe2\x80\x99s Controls Over Information Collected/Exchanged with FSOC/OFR       March 25, 2013\nReport No. 
    …all ‘Non-Public (SEC Restricted)’ or ‘Non-Public (SEC Use Only)’ must be labeled in accordance with the SEC’s guidance for labeling or marking, handling, and safeguarding such information as provided in SECR 23-2a.[16] In the course of normal business activities, the SEC often takes possession of third-party unclassified sensitive information. Whenever a non-disclosure agreement (NDA) has been signed, an internal SEC information owner should be assigned for information so received. …This third-party information must be labeled with the appropriate data category and treated as though it was ‘Non-Public (SEC Restricted)’ or ‘Non-Public (SEC Use Only)’ internal information with the same security categorization.[17]

    …sensitive information [to] be marked as appropriate by the primary information user. Internal/External labeling is required for all sensitive material and may be in the form of special handling instructions, classification, or control logging information such as serial/control numbers or bar codes.[18]

To ensure full compliance with its MOU with FSOC, the SEC must be able to track the information it receives and exchanges with the MOU parties. While SEC policy requires that information owners be assigned to receive information from third parties, the SEC has not designated a primary person or persons to serve in this capacity for FSOC purposes. Although a primary POC has not been designated, Commission employees who have collected or exchanged data with FSOC, member agencies, or OFR have individually assumed responsibility for sensitive/nonpublic data. The current process lacks sufficient controls and accountability for tracking who has accessed, collected, or exchanged data with FSOC.[19]

Our audit also found that the SEC does not have a formal protocol or procedures related to the FSOC’s function to inventory, track, and ensure that sensitive and nonpublic information shared or received with FSOC, its member agencies, and OFR is appropriately marked for classification purposes. SEC information owners informed us that they primarily rely on the secured e-mail portal to inventory and track information, but do not readily “mark” the data they receive from FSOC, its member agencies, or OFR. Hence, the e-mail portal only provides an inventory of e-mails that are exchanged between the SEC information owners and FSOC, member agencies, or OFR. Consequently, the e-mail portal cannot track information that is collected or exchanged through other avenues such as CDs, thumb drives, meetings, conferences/seminars, etc. Additionally, when an SEC information owner terminates their employment with the Commission, their e-mails from the portal may need to be retrieved to identify FSOC, member agency, and OFR sensitive or nonpublic information. This process could prove to be time consuming. The secured e-mail portal therefore lacks sufficient controls over information exchanged between the SEC and FSOC outside of the e-mail system, and it lacks efficient controls for continuity purposes.

[16] SECR 23-2a is an SEC Administrative Regulation entitled Security: Safeguarding Non-Public Information (January 21, 2000) that establishes general policies and procedures designed to enhance the management controls for safeguarding non-public information.
[17] II 24-04.02.01, Sensitive Data Protection, April 6, 2006, p. 2 of 8, Section 5.b(4).
[18] Ibid, 5.d(2).
[19] Commission staff located in the Division of Trading and Markets; Division of Risk, Strategy, and Financial Innovation; Division of Investment Management; Office of General Counsel; and the Office of the Chairman are responsible for handling data collected and exchanged with FSOC, its member agencies, and OFR.

Furthermore, our audit found that information owners who receive sensitive or nonpublic information (paper or electronic documents) from FSOC, its member agencies, or OFR are not marking the documents in accordance with II 24-04.02.01 (01.0), or in a timely manner. Ensuring documents are properly marked when initially received increases the likelihood that the confidentiality of the information collected and exchanged with the various parties is maintained and handled appropriately.

OIG determined that the Commission’s current practices limit its ability to ensure that information owners readily track and identify the universe of sensitive and nonpublic information the SEC receives and exchanges with FSOC, its member agencies, or OFR. Because the SEC does not have a primary or alternate POC and relies on its secured e-mail portal to track exchanged or collected information, it cannot readily identify the universe of information that is not transmitted via e-mail or assure that paper documents are appropriately “marked” in a timely manner. Therefore, the SEC’s ability to readily identify information owners (e.g., the providing or receiving party) and to ensure documents are properly marked and handled, are authorized for release, and are easily identified for third-party requests to the SEC for information cannot be assured.

We further found the SEC is collecting information using the “Reporting Form for Investment Advisers to Private Funds and Certain Commodity Pool Operators and Commodity Trading Advisors” (Form PF). The SEC adopted this form on October 31, 2011 to provide information to FSOC to assist in assessing systemic risk in the U.S. financial system. The Division of Investment Management (IM) uses Form PF to collect reporting information from investment advisers to private funds and certain commodity pool operators and commodity trading advisors. Information collected using Form PF is provided to OFR on behalf of FSOC. IM’s staff informed OIG that it has worked with OFR to establish Form PF principles for data sharing that govern OFR’s use of the information.

Though the Commission has information owners, primary POCs should be appointed to ensure the SEC has designated staff who provide oversight for information the SEC receives and exchanges with FSOC, its member agencies, or OFR. Further, the SEC should develop a viable system, such as a centralized repository, to track the universe of information it receives and exchanges with the parties, including information contained in secured e-mails, CDs, thumb drives, and external drives and information exchanged at meetings, conferences, or seminars. The primary POCs should further ensure that information owners appropriately “mark” the documents in a timely manner.

Adopting these changes will better align the SEC with the MOU’s requirement to be able to track information it receives and exchanges with FSOC. Further, it will align the SEC with II 24-04.02.01 (01.0), which requires that an information owner be assigned to receive information from third parties.

Appointing POCs and developing a viable system or protocol are crucial to the SEC’s ability to efficiently identify all information that has been requested, provided, or received to/from the parties, as well as the source/owners of the information, and will result in the SEC having better internal controls over these areas.

    Recommendation 2:

    The Office of the Chairman in coordination with the Office of Information Technology should assign points of contact to serve as information owners for sensitive and nonpublic documents provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies.

    Management Comments. The Chairman’s office concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased the Chairman’s office concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

    Recommendation 3:

    The Office of the Chairman in coordination with the Office of Information Technology should ensure a system or protocols are developed to identify and track all sensitive and nonpublic information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies. This system should track the information owner’s name, the date information is received/sent, who the information is sent to/received from, and the media used (e.g., CDs, thumb drives, etc.).

    Management Comments. The Chairman’s office concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased the Chairman’s office concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

    Recommendation 4:

    The Office of the Chairman in coordination with the Office of Information Technology should ensure documented procedures are developed to assure individuals that serve as information owners for sensitive and nonpublic information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies, properly mark the documents (or files containing documents) according to the sensitivity level.

    Management Comments. The Chairman’s office concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased the Chairman’s office concurred with this recommendation.
    OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

Finding 3: New Contractors Are Not Provided Training on Handling Sensitive and Nonpublic Information in a Timely Manner

    Newly assigned contractors working with FSOC, member agency, and OFR information are not promptly and adequately trained on how to handle sensitive or nonpublic information. As a result, a contractor could unintentionally mishandle or disclose nonpublic information the SEC collects and exchanges with the parties.

The SEC employs contractors who could potentially work with nonpublic information of FSOC, its member agencies, and OFR.[20] Contractors have the same security control requirements over sensitive and nonpublic information that apply to SEC employees. New contractors are required to read and sign an NDA before receiving approval to work at the SEC. However, they are not required to immediately complete the Security Awareness training, which covers OIT’s “Rules of the Road” and “Prohibited Practices Concerning Non-Public Information,” or to sign a compliance statement acknowledging that they understand and will comply with the SEC’s “Rules of the Road.” According to OIT, after signing the NDA, the contractor has an understanding of how to properly handle nonpublic information, and OIT believes they are then aware of the non-disclosure requirements covered in the NDA.[21]

The NDA includes language stating that the contractor agrees “not to disclose to any unauthorized person any confidential or nonpublic documents or information.”[22] While the NDA defines confidential and nonpublic information and informs the contractor that they should not disclose “confidential or non-public information in any form, including documents, electronic mail, computer files, conversations, and audio or video recordings,” it does not include the SEC’s requirements for handling confidential or nonpublic information. Further, the NDA does not include language that describes what the SEC defines as prohibited practices concerning nonpublic information. For example, Rule #7 of the Rules of the Road outlines a prohibited practice concerning nonpublic information:

    DO NOT transmit non-public information or sensitive data through the Internet or via e-mail, unless you have encrypted it using the SEC’s approved encryption software. DO NOT store or transmit non-public information or sensitive data on SEC IT resources without proper protection/encryption.[23]

New SEC employees are required to complete on-line Security Awareness training within 30 days (15 days for interns) after receiving their user account. Further, new SEC employees receive training on handling sensitive, nonpublic information during the new employees’ orientation. This training informs new employees that sensitive/nonpublic information cannot be transmitted external to the SEC unless it is encrypted. In addition, new employees are given a copy of the Rules of the Road to read and sign, indicating that they will adhere to the policy.

Unlike employees, new contractors are not required to take the on-line Security Awareness training on how to handle sensitive or nonpublic information for up to 30 days after they are approved to work at the SEC and have received a network user account. This time gap increases the likelihood that the contractor could unintentionally mishandle or disclose sensitive/nonpublic information.

[20] The SEC uses contractors to support the agency in achieving its mission.
[21] The Rules of the Road are available to all network users on the SEC Insider intranet.
[22] Employee non-disclosure agreement, Attachment J-2, Section C.
[23] SEC’s Rules of the Road, Rule #7.

Although the Office of Acquisitions (OA) asserts that it provided training to Contracting Officer’s Representatives regarding the requirement to have new contractors read and sign the Rules of the Road before starting work at the SEC, we were not provided evidence that this process has started. OIT informed us that it is working with OA regarding this matter.

OIG determined that upon being approved to work on an SEC contract, contractors should be given a copy of the Rules of the Road to read and sign, indicating that they will adhere to this policy, which covers handling sensitive and nonpublic information.

    Recommendation 5:

    The Office of Acquisitions, in coordination with the Office of Information Technology should ensure that new contractors with the Commission are given a copy of the “Rules of the Road” to read and sign indicating they will adhere to the policy before they are given access to the agency’s systems.

    Management Comments. The Chairman’s office concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased the Chairman’s office concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.
Abbreviations and Definitions

CIGFO                   Council of Inspectors General on Financial Oversight
Dodd-Frank Act          Dodd-Frank Wall Street Reform and Consumer Protection Act
FDIC                    Federal Deposit Insurance Corporation
Form PF                 Reporting Form for Investment Advisers to Private Funds and Certain Commodity Pool Operators and Commodity Trading Advisors
FSOC                    Financial Stability Oversight Council
IG                      Inspector General
IM                      Office of Investment Management
MOU                     Memorandum of Understanding “Regarding the Treatment of Non-public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act”
NDA                     Non-Disclosure Agreement
NIST                    National Institute of Standards and Technology
OA                      Office of Acquisitions
OFR                     Office of Financial Research
OIG                     Office of Inspector General
OIT                     Office of Information Technology
OWA                     Outlook Web Access
Parties                 Consist of the Financial Stability Oversight Council and the Office of Financial Research
POC                     Point of Contact
SEC or Commission       U.S. Securities and Exchange Commission
SEC Information Owners  Groups identified in certain offices and divisions who serve as Financial Stability Oversight Council and the Office of Financial Research information owners.
SEC Staff               SEC employees, detailees, and interns
U.S.                    United States
VPN                     Virtual Private Network
Working Group           CIGFO Working Group

Appendix II

Scope and Methodology

The full version of this report includes information that the SEC considers to be sensitive and proprietary. To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report.

We conducted our performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions, based on our audit objective.

Scope. We conducted our fieldwork from February 2012 to September 2012, and reviewed the SEC’s management and internal controls over sensitive and nonpublic information collected by and exchanged with the FSOC, its member agencies, and the OFR. The scope of this audit included a survey of the controls and protocols the SEC applied to safeguard from unauthorized disclosure, and to track, sensitive and nonpublic information that was collected by or exchanged with FSOC, its member agencies, and the OFR. The scope of the audit did not include an inquiry into whether there was any unauthorized disclosure of confidential information.

Methodology. To meet the objective of examining the controls and protocols the SEC employs to ensure that sensitive and nonpublic information of FSOC and its member agencies, including deliberations and decisions, is properly safeguarded against unauthorized disclosure, we distributed a survey to and conducted interviews with select personnel in the Office of the Chairman, Office of General Counsel, Office of Ethics, OIT, Division of Trading and Markets, IM, and the Division of Risk, Strategy, and Financial Innovation who had responsibilities related to safeguarding sensitive and proprietary information collected by and exchanged with the FSOC, its member agencies, and the OFR. In addition, we reviewed the SEC’s regulations and policies and procedures related to safeguarding sensitive and proprietary information. We also reviewed relevant federal regulations, laws, and guidance.

Management Controls. We did not assess the SEC’s management controls because doing so did not pertain to the objectives of this audit. We reviewed existing controls the Commission considered specific to the Working Group’s Questionnaire. To thoroughly understand the Commission’s management controls pertaining to its policies and procedures and methods of operation, we relied on information the agency provided OIG as supporting documentation to the questionnaire and during follow-up interviews we conducted with Commission personnel.

Use of Computer-Processed Data. We did not assess the reliability of any computer-processed data because doing so did not pertain to the objectives of this audit. Further, we did not perform any tests on the general or application controls over the SEC’s automated systems because such tests were not within the scope of our work. The information that was retrieved from these systems, as well as the requested documentation provided to us, was sufficient, reliable, and adequate to use in meeting our stated objectives.

Prior Audit Coverage

   • OIG report 2011 Annual FISMA Executive Summary Report, Report No. 501, February 2, 2012. This report contained 13 recommendations to strengthen the SEC’s controls over information security.
   • OIG report Assessment of SEC’s Continuous Monitoring Program, Report No. 497, dated August 11, 2011. This report contained 13 recommendations to strengthen OIT’s continuous monitoring program.
   • OIG report Assessment of the SEC’s Privacy Program, Report No. 485, September 29, 2010. This report contained 20 recommendations to improve the Commission’s security posture for protecting Personally Identifiable Information.
   • OIG report Evaluation of the SEC Encryption Program, Report No. 476, March 26, 2010. This report contained three recommendations to improve the Commission’s encryption program.
   • OIG report Evaluation of the SEC Privacy Program, Report No. 475, March 26, 2010. This report contained one recommendation to improve the Commission’s privacy program.

Appendix III

Criteria

Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law No. 111-203, July 21, 2010. Reformed the financial regulatory system, including how financial regulatory agencies such as the SEC operate, and mandated that the SEC undertake a significant number of studies and rulemakings, including regulatory initiatives addressing derivatives; asset securitization; credit rating agencies; hedge funds, private equity funds, and venture capital funds; municipal securities; clearing agencies; and corporate governance and executive compensation. Created CIGFO.

Memorandum of Understanding Regarding the Treatment of Non-public Information Shared Among Parties Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act, April 15, 2011. Sets forth the parties’ understanding with respect to the treatment of nonpublic information that is obtained or shared among the parties in connection with or related to the functions and activities of FSOC or OFR.

SECR 23-2a, Security-Safeguarding Non-Public Information, January 21, 2000. Establishes general policies and procedures for safeguarding nonpublic information.

SECR 24-04-A01, Rules of the Road. Provides guidance on the handling and safeguarding of nonpublic or sensitive information, including its transmission and storage.

Implementing Instruction 24-04.02.01(01.0), Sensitive Data Protection, April 6, 2006. Provides a uniform process for defining the SEC’s sensitive information for the purpose of information technology security and management.

NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. Provides guidance related to the steps in the risk management framework that address security control selection.

Appendix IV

List of Recommendations

Recommendation 1:

The Office of Information Technology should develop controls that prevent remote users from saving files accessed using Outlook Web Access to public computers.

Recommendation 2:

The Office of the Chairman in coordination with the Office of Information Technology should assign points of contact to serve as information owners for sensitive and nonpublic documents provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies.

Recommendation 3:

The Office of the Chairman in coordination with the Office of Information Technology should ensure a system or protocols are developed to identify and track all sensitive and nonpublic information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies.
This system should track the information owner’s name, the date information is received/sent, who the information is sent to/received from, and the media used (e.g., CDs, thumb drives, etc.).

Recommendation 4:

The Office of the Chairman in coordination with the Office of Information Technology should ensure documented procedures are developed to assure individuals that serve as information owners for sensitive and nonpublic information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC’s member agencies, properly mark the documents (or files containing documents) according to the sensitivity level.

Recommendation 5:

The Office of Acquisitions, in coordination with the Office of Information Technology should ensure that new contractors with the Commission are given a copy of the “Rules of the Road” to read and sign indicating they will adhere to the policy before they are given access to the agency’s systems.

Appendix V

Management Comments

MEMORANDUM
March 22, 2013

To:       Jacqueline Wilson, Assistant Inspector General for Audits, Office of Inspector General

From:     Erica Williams, Deputy Chief of Staff, Office of the Chairman
          Thomas A. Bayer, Chief Information Officer, Office of Information Technology
          Vance Cathell, Director, Office of Acquisitions

Subject:  Management Response, SEC's Controls Over Sensitive/Non-Public Information Collected and Exchanged With the Financial Stability Oversight Council and Office of Financial Research, Report No. 509

Thank you for the opportunity to comment on the recommendations in the report annotated above, as we work together to protect the sensitive and non-public nature of information collected by and exchanged with the Financial Stability Oversight Council (FSOC) and Office of Financial Research (OFR). The scope of the Office of Inspector General's audit included a survey of the SEC's controls and protocols the SEC applied to safeguard from unauthorized disclosure and track sensitive and non-public information that was collected by or exchanged with FSOC, its member agencies and the OFR. The scope of the audit did not include an inquiry into whether there was any unauthorized disclosure of confidential information. We appreciate the Office of Inspector General's insights on the SEC's controls and protocols and are providing the official response from the Offices of the Chairman, Information Technology, and Acquisitions.

Recommendation 1: "The Office of Information Technology should develop controls that prevent remote users from saving files accessed using Outlook Web Access to public computers."

Management Response: The Office of Information Technology concurs and will evaluate blocking attachments through Outlook Web Access (OWA) on public computers and educating users on the difference between SEC-owned, private and public computers and the respective security risks through the annual Security Awareness Training.

Recommendation 2: "The Office of the Chairman in coordination with the Office of Information Technology should assign points of contact to serve as information owners for sensitive and nonpublic documents provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC's member agencies."

Management Response: The Office of the Chairman concurs and will assign points of contact.

Recommendation 3: "The Office of the Chairman in coordination with the Office of Information Technology should ensure a system is developed to identify and track all sensitive and nonpublic information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC's member agencies. This system should track information owner's name, date information is received/sent, who the information is sent to/received from, and media used (e.g., CDs, thumb drives, etc.)."

Management Response: The Office of the Chairman concurs. The SEC FSOC point of contact will work with the FSOC OFR member agencies to come up with a consensus on data tracking when exchanging data within the FSOC OFR member agencies. The Office of the Chairman will ensure a system for tracking sensitive FSOC-related information is established consistent with the signed Memorandum of Understanding among member agencies and consensus procedures.

Recommendation 4: "The Office of the Chairman in coordination with the Office of Information Technology should ensure documented procedures are developed to assure individuals that serve as information owners for sensitive and non-public information provided to, or received from the Financial Stability Oversight Council (FSOC), the Office of Financial Research or FSOC's member agencies, properly mark the documents (or files containing documents) according to the sensitivity level."

Management Response: The Office of the Chairman concurs. The SEC FSOC point of contact will work with the FSOC OFR member agencies to come up with a consensus on marking files or documents. OIT will assist the FSOC point of contact in developing internal procedures. The FSOC Data Committee Working Group is engaged in discussions concerning the proper labeling and handling of FSOC data.

Recommendation 5: "The Office of Acquisitions, in coordination with the Office of Information Technology should ensure that new contractors with the Commission are given a copy of the "Rules of the Road" to read and sign indicating they will adhere to the policy before they are given access to the agency's systems."

Management Response: The Office of Acquisitions concurs.
The Office of Acquisitions Is committed to\n  supporting the Office of Information Technology in improving controls over SEC information. We will\n  coordinate with OIT to Implement your recommendation.\n\n\n\n\nSEC\xe2\x80\x99s Controls Over Information Collected/Exchanged with FSOC/OFR                           March 25, 2013\nReport No. 509\n                                                Page 20\n\n                                REDACTED PUBLIC VERSION\n\x0c                     Audit Requests and Ideas\n\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'